The named process is started by root and thus inherits root's privileges, which were traditionally needed to bind the DNS communication channel (port 53). BIND administrators know that the named command accepts a -u username option, which makes the process switch user attributes after it has opened its privileged interfaces. The idea is that, should the service be compromised, the effective user is not all-powerful.
In the Solaris 10 Operating Environment the process privilege model, privileges(5), allows finer-grained control. Coupled with the Service Management Facility, smf(5), services may inherit fewer privileges and an alternative user and group identity at start-up. Under the Solaris 10 OE, therefore, named may be configured to start with an alternative user identity, making the -u option superfluous.
To have the BIND server named start with an alternative user identity and group under the Solaris 10 OE, complete the following steps:
1. Add the solaris.smf.manage.bind authorization to the user
# usermod -A solaris.smf.manage.bind dnsadmin
# tail -1 /etc/user_attr
dnsadmin::::type=normal;auths=solaris.smf.manage.bind
#
Without this authorization the server, named, will be unable to manage its own SMF instance (FMRI): after an rndc stop or halt command, SMF will automatically restart named, and syslog shows the message "error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action".
2. Modify the service properties
# svccfg
svc:> select svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/user = dnsadmin
svc:/network/dns/server:default> setprop start/group = dnsadmin
svc:/network/dns/server:default> exit
# svcadm refresh svc:/network/dns/server:default
# svcadm restart svc:/network/dns/server:default
3. Specify an alternative location for the pid-file
Because only root has write access to create the default pid-file, /var/run/named.pid, named must be configured to use an alternative path. For example:
# mkdir /var/named/tmp
# chown dnsadmin /var/named/tmp
# head /etc/named.conf
options {
directory "/var/named";
pid-file "/var/named/tmp/named.pid";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
};
#
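The following audit script is an added example, not part of the original article: it checks the three settings the steps above change (the user_attr authorization, the SMF start/user and start/group properties, and the relocated pid-file). The sample inputs are constructed to mirror the transcript; on a Solaris 10 host you would feed the functions the output of cat /etc/user_attr, svcprop -p start svc:/network/dns/server:default and cat /etc/named.conf instead.

```sh
#!/bin/sh
# Added post-configuration audit (not from the original article). Checks the
# three settings the article changes. The samples below are constructed; on
# Solaris 10 pass in real `cat /etc/user_attr`, `svcprop -p start FMRI` and
# `cat /etc/named.conf` output instead.

# Step 1: does the user_attr entry grant solaris.smf.manage.bind?
# $1 = user_attr text, $2 = user name
has_bind_auth() {
    printf '%s\n' "$1" | grep "^$2:" | grep -q 'auths=[^;]*solaris\.smf\.manage\.bind'
}

# Step 2: do the start-method properties name the expected user and group?
# $1 = `svcprop -p start FMRI` output, $2 = user, $3 = group
start_identity_ok() {
    printf '%s\n' "$1" | grep -q "^start/user astring $2\$" &&
    printf '%s\n' "$1" | grep -q "^start/group astring $3\$"
}

# Step 3: has pid-file left the root-only /var/run? Prints the configured
# path on success; fails when it is missing or still under /var/run.
# $1 = named.conf text
pidfile_relocated() {
    pf=$(printf '%s\n' "$1" |
         sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' | head -1)
    [ -n "$pf" ] || return 1
    case "$pf" in /var/run/*) return 1 ;; esac
    printf '%s\n' "$pf"
}

# Constructed samples mirroring the article's transcript.
SAMPLE_USER_ATTR='dnsadmin::::type=normal;auths=solaris.smf.manage.bind'
SAMPLE_SVCPROP='start/exec astring /usr/sbin/named
start/user astring dnsadmin
start/group astring dnsadmin'
SAMPLE_NAMED_CONF='options {
    directory "/var/named";
    pid-file "/var/named/tmp/named.pid";
};'

report() { if "$@" >/dev/null; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report has_bind_auth "$SAMPLE_USER_ATTR" dnsadmin
report start_identity_ok "$SAMPLE_SVCPROP" dnsadmin dnsadmin
report pidfile_relocated "$SAMPLE_NAMED_CONF"
```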
Updated 25 Feb 2009 with instructions on how to add user to authority.

